Use crypto method flags; add tlsv1.0 wrapper; add wrapper tests
Showing
12 changed files
with
569 additions
and
164 deletions.
@@ -0,0 +1,58 @@ | ||
--TEST-- | ||
Basic bitwise stream crypto context flag assignment | ||
--SKIPIF-- | ||
<?php | ||
if (!extension_loaded("openssl")) die("skip"); | ||
if (!function_exists('pcntl_fork')) die("skip no fork"); | ||
--FILE-- | ||
<?php | ||
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; | ||
$ctx = stream_context_create(['ssl' => [ | ||
'local_cert' => __DIR__ . '/bug54992.pem', | ||
'allow_self_signed' => true | ||
]]); | ||
$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | ||
var_dump($server); | ||
|
||
$pid = pcntl_fork(); | ||
if ($pid == -1) { | ||
die('could not fork'); | ||
} else if ($pid) { | ||
|
||
// Base SSL context values | ||
$sslCtxVars = array( | ||
'verify_peer' => TRUE, | ||
'cafile' => __DIR__ . '/bug54992-ca.pem', | ||
'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file | ||
); | ||
|
||
// SSLv3 | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
// TLSv1 | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
// TLS (any) | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLS_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
} else { | ||
@pcntl_wait($status); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
} | ||
--EXPECTF-- | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
|
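Review bot: The SSLv3 sub-case `$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;` expects a successful connection, but --SKIPIF-- has no guard for SSLv3 availability, so on an OpenSSL build configured without SSLv3 this test would most likely fail rather than skip; a `die("skip")` check for SSLv3 support, or moving the SSLv3 case into its own .phpt, keeps the TLS cases runnable on such builds. The server-flag test, which also expects an SSLv3 client to succeed, has the same gap. Separately, `@pcntl_wait($status);` sits in the child branch, where the process has no children to reap and the call returns immediately; if the intent was for the parent to wait for the accepting child before exiting, it belongs in the parent branch after the last connect. The same placement appears in every other new test in this commit.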
@@ -0,0 +1,67 @@ | ||
--TEST-- | ||
TLSv1.1 and TLSv1.2 bitwise stream crypto flag assignment | ||
--SKIPIF-- | ||
<?php | ||
if (!extension_loaded("openssl")) die("skip"); | ||
if (!function_exists('pcntl_fork')) die("skip no fork"); | ||
if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSLv1.0.1 required"); | ||
--FILE-- | ||
<?php | ||
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; | ||
$ctx = stream_context_create(['ssl' => [ | ||
'local_cert' => __DIR__ . '/bug54992.pem', | ||
'allow_self_signed' => true | ||
]]); | ||
$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | ||
var_dump($server); | ||
|
||
$pid = pcntl_fork(); | ||
if ($pid == -1) { | ||
die('could not fork'); | ||
} else if ($pid) { | ||
|
||
// Base SSL context values | ||
$sslCtxVars = array( | ||
'verify_peer' => TRUE, | ||
'cafile' => __DIR__ . '/bug54992-ca.pem', | ||
'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file | ||
); | ||
|
||
// TLSv1 | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
// TLSv1.1 | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
// TLSv1.2 | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
// TLS (any) | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLS_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
} else { | ||
@pcntl_wait($status); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
} | ||
--EXPECTF-- | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
|
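Review bot: All five new tests bind the same fixed port in `stream_socket_server('ssl://127.0.0.1:64321', ...)`, so they cannot run concurrently and any leftover listener on that port makes them fail rather than skip. Binding to port 0 and reading the assigned port back with `stream_socket_get_name($server, false)` before `pcntl_fork()` would remove the collision, since the listening socket is inherited by the child anyway. The 1-second connect and accept timeouts on both sides are also tight enough that a loaded test host could plausibly produce a spurious `bool(false)`; a larger timeout costs nothing when the handshake succeeds.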
@@ -0,0 +1,68 @@ | ||
--TEST-- | ||
Server bitwise stream crypto flag assignment | ||
--SKIPIF-- | ||
<?php | ||
if (!extension_loaded("openssl")) die("skip"); | ||
if (!function_exists('pcntl_fork')) die("skip no fork"); | ||
if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSLv1.0.1 required"); | ||
--FILE-- | ||
<?php | ||
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; | ||
$ctx = stream_context_create(['ssl' => [ | ||
'local_cert' => __DIR__ . '/bug54992.pem', | ||
'allow_self_signed' => true, | ||
|
||
// Only accept SSLv3 and TLSv1.2 connections | ||
'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_SERVER | STREAM_CRYPTO_METHOD_TLSv1_2_SERVER | ||
]]); | ||
$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | ||
var_dump($server); | ||
|
||
$pid = pcntl_fork(); | ||
if ($pid == -1) { | ||
die('could not fork'); | ||
} else if ($pid) { | ||
|
||
// Base SSL context values | ||
$sslCtxVars = array( | ||
'verify_peer' => TRUE, | ||
'cafile' => __DIR__ . '/bug54992-ca.pem', | ||
'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file | ||
); | ||
|
||
// TLSv1.2 | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
// SSLv3 | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
// TLSv1 (should fail) | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
// TLSv1.1 (should fail) | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
} else { | ||
@pcntl_wait($status); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
} | ||
--EXPECTF-- | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
bool(false) | ||
bool(false) | ||
|
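Review bot: The two negative cases do not actually exercise the server's `crypto_method` restriction: the child calls `@stream_socket_accept($server, 1);` only twice, so the TLSv1.0 and TLSv1.1 clients are never accepted and simply hit their 1-second timeout, yielding `bool(false)` even if the server would have accepted those protocols. Accepting four times, as the protocol-specification test in this commit does, lets the server attempt and reject the last two handshakes so the expected output reflects the flag behaviour. Because the client errors are suppressed with `@`, consider dumping `$errstr` alongside the result for those cases so a timeout and a handshake rejection no longer look identical in --EXPECTF--.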
@@ -0,0 +1,67 @@ | ||
--TEST-- | ||
Specific protocol method specification | ||
--SKIPIF-- | ||
<?php | ||
if (!extension_loaded("openssl")) die("skip"); | ||
if (!function_exists('pcntl_fork')) die("skip no fork"); | ||
--FILE-- | ||
<?php | ||
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; | ||
$ctx = stream_context_create(['ssl' => [ | ||
'local_cert' => __DIR__ . '/bug54992.pem', | ||
'allow_self_signed' => true, | ||
'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER | ||
]]); | ||
|
||
$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | ||
var_dump($server); | ||
|
||
$pid = pcntl_fork(); | ||
if ($pid == -1) { | ||
die('could not fork'); | ||
} else if ($pid) { | ||
|
||
// Base SSL context values | ||
$sslCtxVars = array( | ||
'verify_peer' => FALSE, | ||
'cafile' => __DIR__ . '/bug54992-ca.pem', | ||
'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file | ||
); | ||
|
||
// Should fail because the SSLv23 hello method is not supported | ||
$ctxCopy = $sslCtxVars; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(@stream_socket_client("ssl://127.0.0.1:64321")); | ||
|
||
// Should fail because the TLSv1.1 hello method is not supported | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(@stream_socket_client("ssl://127.0.0.1:64321")); | ||
|
||
// Should fail because the TLSv1.2 hello method is not supported | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(@stream_socket_client("ssl://127.0.0.1:64321")); | ||
|
||
// Should succeed because we use the same TLSv1 hello | ||
$ctxCopy = $sslCtxVars; | ||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT; | ||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | ||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx)); | ||
|
||
} else { | ||
@pcntl_wait($status); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
} | ||
--EXPECTF-- | ||
resource(%d) of type (stream) | ||
bool(false) | ||
bool(false) | ||
bool(false) | ||
resource(%d) of type (stream) | ||
|
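Review bot: The TLSv1.1 and TLSv1.2 cases build a context but never pass it: `var_dump(@stream_socket_client("ssl://127.0.0.1:64321"));` at the second and third connects runs with the default context, so both use the default crypto method and the comments above them describe something the code does not do. Each should read `var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));`; the first, context-less case has no crypto_method to lose, though it too drops the `verify_peer`/`cafile` settings it just prepared. Without an explicit timeout those calls also rely on the `default_socket_timeout` ini setting rather than the 1-second value the other tests use.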
@@ -56,4 +56,3 @@ EOS; | |
?> | ||
--EXPECTF-- | ||
Hello World! | ||
|
@@ -0,0 +1,47 @@ | ||
--TEST-- | ||
tlsv1.0 stream wrapper | ||
--SKIPIF-- | ||
<?php | ||
if (!extension_loaded("openssl")) die("skip"); | ||
if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSL 1.0.1 required"); | ||
if (!function_exists('pcntl_fork')) die("skip no fork"); | ||
--FILE-- | ||
<?php | ||
$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; | ||
$ctx = stream_context_create(array('ssl' => array( | ||
'local_cert' => __DIR__ . '/streams_crypto_method.pem', | ||
))); | ||
|
||
$server = stream_socket_server('tlsv1.0://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | ||
var_dump($server); | ||
|
||
$pid = pcntl_fork(); | ||
if ($pid == -1) { | ||
die('could not fork'); | ||
} elseif ($pid) { | ||
$flags = STREAM_CLIENT_CONNECT; | ||
$ctx = stream_context_create(array('ssl' => array( | ||
'verify_peer' => false, | ||
'verify_host' => false | ||
))); | ||
|
||
$client = stream_socket_client("tlsv1.0://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx); | ||
var_dump($client); | ||
|
||
$client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx); | ||
var_dump($client); | ||
|
||
$client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx); | ||
var_dump($client); | ||
|
||
} else { | ||
@pcntl_wait($status); | ||
for ($i=0; $i < 3; $i++) { | ||
@stream_socket_accept($server, 1); | ||
} | ||
} | ||
--EXPECTF-- | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
bool(false) | ||
bool(false) |
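Review bot: The client context sets `'verify_host' => false`, but no `verify_host` option appears anywhere else on this page; stream context options are free-form and an unrecognised key is silently ignored, so if the openssl wrapper does not consume this name the test is relying on `verify_peer => false` alone and the stated intent of skipping host-name checks is not actually exercised. Confirm the option name against the wrapper's context handling; the other new tests show `CN_match` as the name-checking option the wrapper reads, which suggests this key may not be wired up. The tlsv1.1 wrapper test repeats the same context.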
@@ -0,0 +1,47 @@ | ||
--TEST-- | ||
tlsv1.1 stream wrapper | ||
--SKIPIF-- | ||
<?php | ||
if (!extension_loaded("openssl")) die("skip"); | ||
if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSL 1.0.1 required"); | ||
if (!function_exists('pcntl_fork')) die("skip no fork"); | ||
--FILE-- | ||
<?php | ||
$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; | ||
$ctx = stream_context_create(array('ssl' => array( | ||
'local_cert' => __DIR__ . '/streams_crypto_method.pem', | ||
))); | ||
|
||
$server = stream_socket_server('tlsv1.1://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | ||
var_dump($server); | ||
|
||
$pid = pcntl_fork(); | ||
if ($pid == -1) { | ||
die('could not fork'); | ||
} elseif ($pid) { | ||
$flags = STREAM_CLIENT_CONNECT; | ||
$ctx = stream_context_create(array('ssl' => array( | ||
'verify_peer' => false, | ||
'verify_host' => false | ||
))); | ||
|
||
$client = stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx); | ||
var_dump($client); | ||
|
||
$client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx); | ||
var_dump($client); | ||
|
||
$client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx); | ||
var_dump($client); | ||
|
||
} else { | ||
@pcntl_wait($status); | ||
for ($i=0; $i < 3; $i++) { | ||
@stream_socket_accept($server, 1); | ||
} | ||
} | ||
--EXPECTF-- | ||
resource(%d) of type (stream) | ||
resource(%d) of type (stream) | ||
bool(false) | ||
bool(false) |